Security Flaw in LibSSH Allows Hackers to Take Over Servers
If your server uses libssh, a library that implements the Secure Shell (SSH) remote login protocol, you should know about a recently discovered vulnerability that could allow someone to log into vulnerable servers without valid login credentials.
This flaw, present in libssh versions 0.6 and later, allows a hacker to bypass authentication altogether and gain access to unpatched servers. Read on to learn more about this discovery and, more importantly, how to secure your systems against this attack.
The Exploitation – How It Works
The vulnerability is actually four years old; it was eventually reported to the libssh developers on June 25th of this year. Unfortunately, exploiting the flaw is quite simple. A hacker need only send an “SSH2_MSG_USERAUTH_SUCCESS” message to a vulnerable server while it is expecting an “SSH2_MSG_USERAUTH_REQUEST” message.
The flaw exists because the libssh library does not check which side sent the authentication-success packet, the server or the client. In addition, the check that the authentication process has actually completed never takes place. All a hacker needs to do to enter a vulnerable server without a password is send an “SSH2_MSG_USERAUTH_SUCCESS” response, and they are then granted access.
Although the vulnerability was alive and well for over four years, a resolution is now available: a patch for the vulnerability, tracked as “CVE-2018-10933”, has been released.
The patched versions of libssh are 0.8.4 and 0.7.6. Once again, the vulnerability affects libssh versions 0.6 and later.
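To make the two points above concrete, here is an added illustrative model (not libssh's own code) of a server-side userauth dispatcher in its flawed and hardened forms, plus a helper that maps a libssh version string onto the affected range the article names. The message numbers come from RFC 4252; `Session`, `valid_credentials` and `libssh_is_vulnerable` are assumed names constructed for this example.

```python
# Illustrative model of SSH userauth message dispatch; not libssh's source.
# Message numbers are those assigned in RFC 4252.
from dataclasses import dataclass

SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_MSG_USERAUTH_SUCCESS = 52


@dataclass
class Session:
    role: str                  # "server" or "client"
    authenticated: bool = False


def valid_credentials(payload: bytes) -> bool:
    # Stand-in for real credential verification; constructed for this model.
    return payload == b"correct-password"


def dispatch_vulnerable(sess: Session, msg_type: int, payload: bytes = b"") -> bool:
    """Mirrors the flaw described above: USERAUTH_SUCCESS is honoured without
    checking which side sent it or whether any USERAUTH_REQUEST ever succeeded."""
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        sess.authenticated = valid_credentials(payload)
    elif msg_type == SSH2_MSG_USERAUTH_SUCCESS:
        sess.authenticated = True        # no role check, no auth-state check
    return sess.authenticated


def dispatch_fixed(sess: Session, msg_type: int, payload: bytes = b"") -> bool:
    """Hardened dispatch: only a server sends USERAUTH_SUCCESS, so one arriving
    at a server is a protocol violation and is rejected without touching state."""
    if msg_type == SSH2_MSG_USERAUTH_REQUEST and sess.role == "server":
        sess.authenticated = valid_credentials(payload)
    elif msg_type == SSH2_MSG_USERAUTH_SUCCESS and sess.role == "client":
        sess.authenticated = True        # legitimate: server confirming to client
    else:
        return False                     # unexpected message for this role
    return sess.authenticated


def libssh_is_vulnerable(version: str) -> bool:
    """True for the affected range named above: 0.6 up to, but not including,
    the fixed releases 0.7.6 and 0.8.4."""
    v = tuple(int(x) for x in version.split(".")[:3])
    if v[:2] == (0, 7):
        return v < (0, 7, 6)
    if v[:2] == (0, 8):
        return v < (0, 8, 4)
    return (0, 6, 0) <= v < (0, 7, 0)    # 0.6.x affected; older or 0.9+ not
```

Running `dispatch_vulnerable(Session("server"), SSH2_MSG_USERAUTH_SUCCESS)` returns `True` with no credentials checked, while `dispatch_fixed` returns `False` for the same input; that difference is the whole of the fix.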